fix(nocodb): reject /auth/user/me with 401 when supplied JWT is invalid

2026-06-01 23:02:12 +00:00 · 2026-05-28 11:43:14 +00:00
parent 2cf0de39e8
commit 4ef9130ab2
1 changed files with 12 additions and 0 deletions
--- a/packages/nocodb/src/modules/auth/auth.controller.ts
+++ b/packages/nocodb/src/modules/auth/auth.controller.ts
@@ -137,6 +137,18 @@ export class AuthController {
  ])
  @UseGuards(MetaApiLimiterGuard, GlobalGuard)
  async me(@Req() req: NcRequest) {
+    // GlobalGuard silently falls back to a guest user when JWT validation
+    // fails. If the caller supplied a JWT (xc-auth header or nc_token cookie)
+    // and we ended up as guest, the token is invalid/expired — surface 401
+    // so the client can refresh or sign out instead of consuming a guest
+    // identity that flips the UI's session state mid-flight.
+    if (
+      (req.headers?.['xc-auth'] || req.cookies?.nc_token) &&
+      (req.user as any)?.roles?.guest
+    ) {
+      NcError.unauthorized('Token Expired. Please login again.');
+    }
+
    const user = {
      ...req.user,
      roles: extractRolesObj(req.user.roles),